An Open Source Black Duck scan shows Vulnerabilities with APM.



Article ID: 7647




CA Application Performance Management Agent (APM / Wily / Introscope) INTROSCOPE


A Black Duck security scan reported the following vulnerabilities in APM 10.5.1:

CVE-2017-5644 : Apache POI 3.14 : Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.

CVE-2016-3674 : XStream Core (com.thoughtworks.xstream:xstream) 1.4.8 : Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.

CVE-2012-5784 and CVE-2014-3596 : Apache Web Services Axis 1.4 : The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: CVE-2014-3596 exists because of an incomplete fix for CVE-2012-5784.


Environment: APM 10.5.1


1) CVE-2017-5644 :
APM 10.5.1 ships Apache POI 3.14, which is inside the affected range (versions prior to 3.15), so this finding is valid. It will be addressed in APM 10.6.

2) CVE-2016-3674 :
APM 10.5.1 ships XStream 1.4.9. The CVE affects XStream 1.4.8 and earlier, so the bundled version already contains the fix and the finding is a false positive.

3) CVE-2012-5784 and CVE-2014-3596 :
APM 10.5.1 ships Apache Axis 1.4.1. The CVEs affect Axis 1.4 and earlier, so the bundled version is outside the affected range and the finding is a false positive.

Before accepting or dismissing a scanner result, confirm the version the bundled jar actually carries (META-INF/maven/.../pom.properties, or Implementation-Version in META-INF/MANIFEST.MF) rather than relying on the version string the scanner inferred from the component name; a scanner can report a range that the installed build is not in, and it can equally miss a downgraded jar.
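The version check described above, as an added example that is not code from the CA/Broadcom article or from the APM product: it reads the version recorded inside each jar (Maven pom.properties first, manifest Implementation-Version as a fallback) and compares it with the affected range quoted in each CVE description. The three jars are constructed in memory with metadata only; the artifact names, group IDs and the `AFFECTED` table are assumptions taken from the CVE text in this article.

```python
"""Compare the version a jar actually carries with a CVE's affected range.

Added example for the triage above; it is not code from the CA/Broadcom
article or from the APM product. The jars below are constructed in memory
and contain only Maven/manifest metadata; the affected ranges are taken
from the CVE descriptions quoted in the article.
"""
import io
import re
import zipfile

# Highest affected version (inclusive) per artifact, from the CVE text:
# POI "prior to 3.15", XStream "before 1.4.9", Axis "1.4 and earlier".
AFFECTED = {
    "poi":     ("3.14",  ["CVE-2017-5644"]),
    "xstream": ("1.4.8", ["CVE-2016-3674"]),
    "axis":    ("1.4",   ["CVE-2012-5784", "CVE-2014-3596"]),
}


def parse_version(text):
    """'1.4.9' or '3.14-beta1' -> tuple of ints for ordered comparison."""
    numeric = re.match(r"\d+(?:\.\d+)*", text).group(0)
    return tuple(int(part) for part in numeric.split("."))


def parse_manifest(text):
    """META-INF/MANIFEST.MF into a dict, ignoring continuation lines."""
    attrs = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith(" "):
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def jar_version(jar_bytes):
    """Return (artifactId, version) recorded inside the jar.

    Prefers Maven's pom.properties; falls back to the manifest's
    Implementation-Title / Implementation-Version.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                props = {}
                for line in jar.read(name).decode().splitlines():
                    if "=" in line and not line.startswith("#"):
                        key, value = line.split("=", 1)
                        props[key.strip()] = value.strip()
                return props["artifactId"], props["version"]
        attrs = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode())
        return attrs["Implementation-Title"], attrs["Implementation-Version"]


def assess(artifact, version):
    """Decide whether `version` of `artifact` falls in a flagged CVE range."""
    if artifact not in AFFECTED:
        return {"artifact": artifact, "version": version, "cves": [], "affected": False}
    highest_bad, cves = AFFECTED[artifact]
    return {
        "artifact": artifact,
        "version": version,
        "cves": cves,
        "affected": parse_version(version) <= parse_version(highest_bad),
    }


def triage(jars):
    """Assess every jar: read the version it carries, then compare."""
    return [assess(*jar_version(data)) for data in jars]


def make_jar(artifact, version, group="example", via_manifest=False):
    """Constructed sample jar (metadata only, no classes) for this demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        manifest = "Manifest-Version: 1.0\r\n"
        if via_manifest:
            manifest += (f"Implementation-Title: {artifact}\r\n"
                         f"Implementation-Version: {version}\r\n")
        jar.writestr("META-INF/MANIFEST.MF", manifest + "\r\n")
        if not via_manifest:
            jar.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                         f"#Generated by Maven\nversion={version}\n"
                         f"groupId={group}\nartifactId={artifact}\n")
    return buf.getvalue()


# The three versions the article says APM 10.5.1 bundles (jars constructed here).
SAMPLE_JARS = [
    make_jar("poi", "3.14", group="org.apache.poi"),
    make_jar("xstream", "1.4.9", group="com.thoughtworks.xstream"),
    make_jar("axis", "1.4.1", via_manifest=True),
]

if __name__ == "__main__":
    for result in triage(SAMPLE_JARS):
        state = "AFFECTED" if result["affected"] else "not affected"
        print(f"{result['artifact']} {result['version']}: {state} {result['cves']}")
```

Run against the real jars by replacing `SAMPLE_JARS` with the bytes of the files under the APM installation; the comparison is a plain numeric tuple order, which is enough for the ranges quoted here but does not understand pre-release qualifiers, so treat a version like `1.4.9-SNAPSHOT` as equal to `1.4.9` only if you have confirmed it contains the fix.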